Cryptography for Mere Mortals #1

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Q: Isn’t Format-Preserving Encryption easy to break because the output is all plaintext, so there are fewer possible ciphertexts? For example, if you encrypt a four-digit number, there are only 10,000 possibilities.

A: No. The strength of the encryption is based on the key size, not the number of possible outputs. So for 128-bit AES, there are 2^128 possible keys, no matter how short the input is.

Certainly it is true that, since there are only 10,000 possible values, many of those keys will result in the same output for a given input. But finding one of those key/ciphertext/plaintext matches doesn’t mean that the same key will produce the correct result for another ciphertext.

Note that with Format-Preserving Encryption, the attacker cannot even skip past keys based on implausible output—that is, if you know you’re decrypting a four-digit number, with traditional AES you can ignore any keys that don’t produce a four-digit number on decrypt. But with FPE, they all produce four-digit numbers, so you have even less ability to winnow the wheat from the chaff.
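
To make the point about chance key matches concrete, here is an added illustration (not code from the original article or from Voltage Security): a toy format-preserving Feistel cipher over four-digit numbers, with a deliberately tiny 16-bit key space so every key can be tried. The cipher, the function names, the key 0xBEEF and the sample values are constructed assumptions; this is not AES or a standardized FPE mode.

```python
import hashlib

ROUNDS = 8
KEY_BITS = 16  # toy key space so a full sweep finishes quickly; AES keys are 128 bits


def _round(key: int, rnd: int, half: int) -> int:
    """Keyed round function: hash key, round number and half, reduce to 00..99."""
    digest = hashlib.sha256(b"%d|%d|%d" % (key, rnd, half)).digest()
    return int.from_bytes(digest[:4], "big") % 100


def fpe_encrypt(key: int, pin: int) -> int:
    """Toy Feistel over two 2-digit halves: every key maps 0000..9999 onto itself."""
    left, right = divmod(pin, 100)
    for rnd in range(ROUNDS):
        left, right = right, (left + _round(key, rnd, right)) % 100
    return left * 100 + right


def fpe_decrypt(key: int, ct: int) -> int:
    """Inverse of fpe_encrypt: undo the rounds in reverse order."""
    left, right = divmod(ct, 100)
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _round(key, rnd, left)) % 100, left
    return left * 100 + right


def keys_matching(pairs, keys):
    """Return the keys that map every (plaintext, ciphertext) pair correctly."""
    return [k for k in keys if all(fpe_encrypt(k, p) == c for p, c in pairs)]


def demo(true_key=0xBEEF):  # constructed sample key and plaintexts
    pair1 = (1234, fpe_encrypt(true_key, 1234))
    pair2 = (5678, fpe_encrypt(true_key, 5678))
    candidates = keys_matching([pair1], range(2 ** KEY_BITS))  # keys that fit pair 1
    survivors = keys_matching([pair2], candidates)  # of those, keys that also fit pair 2
    return candidates, survivors


if __name__ == "__main__":
    candidates, survivors = demo()
    print(f"{len(candidates)} of {2 ** KEY_BITS} keys match the first pair")
    print(f"{len(survivors)} of those also match the second pair")
```

With 65,536 keys and 10,000 possible outputs, about 65,536 / 10,000 ≈ 6.5 keys are expected to match the first pair by chance, and each false match has only a 1-in-10,000 chance of also fitting the second pair.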

To help understand key strength further, check out www.youtube.com/watch?v=koJQQWHI-ZA, in which Terence Spies, CTO of Voltage Security, uses a whiteboard to demonstrate just how huge the number of keys really is.